# Reproducible Distro Build Pipeline (Container-Based Builders)

## Module
BinaryIndex

## Status
IMPLEMENTED

## Description
Container-based reproducible build pipeline for Alpine, Debian, and RHEL packages. Rebuilds upstream source packages in isolated containers to produce reference binaries for function-level fingerprint comparison, enabling backport detection by comparing distro-patched binaries against unpatched originals.

## Implementation Details
- **Modules**: `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/`, `src/BinaryIndex/StellaOps.BinaryIndex.Worker/`
- **Key Classes**:
  - `ReproducibleBuildJob` (`src/BinaryIndex/StellaOps.BinaryIndex.Worker/Jobs/ReproducibleBuildJob.cs`) - background worker job using `IFunctionFingerprintExtractor` and `IPatchDiffEngine` to rebuild packages and compare fingerprints
  - `ReproducibleBuildOptions` - build configuration (timeout, container images, source package locations)
  - `IReproducibleBuilder` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/IReproducibleBuilder.cs`) - abstraction for container-based builds
  - `BuilderOptions` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/BuilderOptions.cs`) - builder configuration
  - `GuidProvider` (`src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/GuidProvider.cs`) - deterministic GUID generation for reproducibility
- **Integration**: Uses `IFingerprintClaimRepository` to store build verification claims; integrates with `IPatchDiffEngine` for post-build binary comparison
- **Source**: SPRINT_1227_0002_0001_LB_reproducible_builders.md

## E2E Test Plan
- [ ] Trigger a reproducible build for a Debian package and verify reference binaries are produced
- [ ] Compare distro-patched binary against unpatched original and verify fingerprint differences
- [ ] Verify container isolation: build runs in isolated container with controlled environment
- [ ] Verify `FingerprintClaim` records are generated with build provenance evidence
- [ ] Verify `GuidProvider` produces deterministic GUIDs for identical build inputs
- [ ] Verify backport detection: distro-patched binary with backported fix is correctly identified